Understanding harmful activity and its operating models (advanced)

Defenders need to have ways to understand even complex cybercriminal activity. For this purpose, various models have been developed. Some of them are examined in this section.

Attack trees (advanced)

An attack tree is a visual model of a system’s security during an attack. The root node of an attack tree is the goal of the attack, and the child nodes are the ways in which the attacker can achieve that goal. As one moves away from the root, child nodes become sub‑goals, and their child nodes represent ways to achieve those sub‑goals. The connection of child nodes to a node may be of the “or” type, meaning that they represent alternative ways of achieving the goal. When the connection is of the “and” type, the child nodes represent steps that must all be taken to achieve the goal.

Example of an attack tree

The figure shows an example of an attack tree. In the example, the attacker can break into a server either by exploiting a vulnerability or by obtaining a password. If the attacker exploits a vulnerability, they can, for example, develop a method for exploiting the vulnerability or purchase one. If the attacker decides to break in using a password, they must first obtain it. To do so, the attacker might use a keylogger, guess the password, or extort it from its owner. The tree could be extended further, for example by considering the different ways in which extortion might be carried out.
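As an added illustration (not part of the course material), the tree just described can be written down as AND/OR data and evaluated mechanically: the effort values on the leaves are assumed numbers, and marking a leaf as blocked models a defensive control that removes that step, so the defender can see which combinations of controls cut every path to the root.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One node of an attack tree: a leaf, or an "or"/"and" combination of children."""
    name: str
    kind: str = "leaf"                 # "leaf", "or" or "and"
    cost: int = 0                      # assumed attacker effort for a leaf (illustrative units)
    children: list = field(default_factory=list)

def cheapest(node, blocked=frozenset()):
    """Cheapest (cost, leaf steps) achieving `node`; None when `blocked` leaves cut every path."""
    if node.kind == "leaf":
        return None if node.name in blocked else (node.cost, [node.name])
    results = [cheapest(child, blocked) for child in node.children]
    if node.kind == "or":              # any one child suffices: take the cheapest reachable one
        reachable = [r for r in results if r is not None]
        return min(reachable, key=lambda r: r[0]) if reachable else None
    if any(r is None for r in results):   # "and": every child must be achievable
        return None
    return (sum(r[0] for r in results), [step for r in results for step in r[1]])

# The tree from the text; the leaf costs are assumed values for illustration only.
ROOT = Node("Break into server", "or", children=[
    Node("Exploit vulnerability", "or", children=[
        Node("Develop exploit", cost=8),
        Node("Purchase exploit", cost=6),
    ]),
    Node("Break in with password", "and", children=[
        Node("Obtain password", "or", children=[
            Node("Keylogger", cost=4),
            Node("Guess password", cost=2),
            Node("Extort owner", cost=6),
        ]),
        Node("Log in with password", cost=1),
    ]),
])

def evaluate(blocked=()):
    """Cheapest remaining attack path after the given leaves are blocked by defensive controls."""
    return cheapest(ROOT, frozenset(blocked))

if __name__ == "__main__":
    for controls in [(), ("Guess password",),
                     ("Guess password", "Keylogger", "Extort owner"),
                     ("Develop exploit", "Purchase exploit", "Log in with password")]:
        print(f"blocked={list(controls)} -> {evaluate(controls)}")
```

Blocking a single leaf only raises the attacker's cheapest cost; the root becomes unreachable only when a control is placed on every "or" alternative, or on one mandatory step of each "and" branch.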

Kill chains (advanced)

Kill chains can be used to model the different phases of an attack. The model known as the Cyber Kill Chain (CKC) was formalised and branded by the large US defence company Lockheed Martin in 2011. In it, the attacker must successfully progress through seven phases:

  1. Reconnaissance. The attacker searches for and identifies targets, for example by scanning networks for vulnerable servers or purchasing an email list from underground markets for spam campaigns.
  2. Weaponisation. The attacker prepares the attack payload, for example by developing software to exploit a particular vulnerability or by writing a phishing message.
  3. Delivery. The attacker delivers the payload to the victim, for example by deploying a malicious web service or sending an email containing malware.
  4. Exploitation. A vulnerability in the target is exploited, for example by luring the victim into clicking a malicious link.
  5. Installation. The malware installs itself, and the attacker gains access to the victim’s computer.
  6. Command and control. The attacker establishes command infrastructure on the victim’s computer and uses it, for example, as part of a botnet.
  7. Actions on objectives. The attacker’s monetisation phase, for example stealing sensitive information from the computer and selling it onwards, deploying ransomware, using the machine for cryptomining, and so on.

The defender can counter the attack by applying, depending on the phase, one or more of the following five classes of measures:

  1. Detect, for example by using an intrusion detection system.
  2. Deny, for example by deploying firewalls or patching vulnerabilities.
  3. Disrupt, for example by interfering with the detected attacker’s command‑and‑control communications.
  4. Degrade, for example by limiting the attacker’s movement within the network through segmentation.
  5. Deceive, for example by luring the attacker into a honeypot.

See the original article (Hutchins et al. 2011) for how these apply to the attack phases.

Attribution of the attacker (advanced)

When discussing harmful activity, attribution is important. Even if the perpetrator cannot be immediately identified, recognising seemingly unrelated cybercrimes as being carried out by the same actors would help in building a legal case against them. Likewise, for example, governments are interested in identifying those responsible for cyberattacks. Of particular interest here is the possibility of showing, with more or less certainty, that a state actor was responsible.

Attribution

Identifying, locating and, where necessary, holding legally accountable the perpetrator of an offensive cyber operation.

Attribution is, however, difficult in the case of cyberattacks. The perpetrator of an offensive cyber operation often uses compromised computers, servers and other network‑connected devices. For this reason, the perpetrator cannot be located on the basis of an IP address, which makes identification and localisation difficult. In addition, differing legal practices between states may prevent or hinder bringing the perpetrator to legal accountability, even if they have been identified and located. This is known as the attribution problem. Cross‑border law enforcement has been discussed briefly in the law module.

It is reasonable to assume that the same actors follow similar patterns in their attacks and use the same software to exploit vulnerabilities when breaking into victims’ systems. These characteristics could potentially be used to identify attackers. However, there are challenges here, as many cybercriminals use, for example, exploit kits or other purchased services. In addition, attacks may be disguised for the purpose of deception. For example, state actors may use characteristics typical of another state and thus deflect blame towards it.
